An Android OS security flaw allowed app developers to spy on users: Android apps could take photos and record conversations without users knowing it.
According to a report released on Tuesday by cybersecurity firm Checkmarx, a major Android vulnerability gave attackers extensive permissions on a smartphone without any consent from users. The flaw, tracked as CVE-2019-2234, allowed app developers to gain undetectable access to a phone's camera, turning an affected phone into a spying device. Checkmarx was also able to uncover all these vulnerabilities through a fake weather app, which it created as a demonstration.
Android Camera Flaw
The vulnerability gave access to stored media, as well as GPS data present in the photos and videos in the phone's library. It also allowed the developer to tap both sides of any phone conversation and record audio.
Yes, it gets worse. The phone's proximity sensor could be used to let the attacker know when the phone was being used. The flaw also allowed the developer to record phone calls. So the open camera app couldn't be detected while taking photos or recording videos. The attacker was even able to upload images and videos from the phone to a server if a user granted the app permission to access the device's storage.
Checkmarx first discovered the flaw over the summer while researching the Google Camera app on a Google Pixel 2 XL and Pixel 3. Further investigation uncovered the same vulnerabilities in “camera apps of other smartphone vendors in the Android ecosystem,” including Samsung.
Google investigated the matter on its own and found that the vulnerabilities were not specific to Pixel devices. According to the search giant, the impact of this Android flaw was much more significant and extended into the broader Android ecosystem, affecting multiple vendors and turning their phones into spying devices. The company, however, says it addressed the issue via an update to the Google Camera app back in July 2019, within days of being informed of the problem. Samsung has also confirmed the findings and has started taking steps to mitigate the issue.